G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework

G4H Webcast, Ajin Abraham: Automated Security Analysis of Mobile Applications with Mobile Security Framework.

Upload: ajin-abraham

Posted on 07-Aug-2015





TRANSCRIPT

Page 1: G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile Security Framework

G4H Webcast, Ajin Abraham

Automated Security Analysis of Mobile Applications with Mobile Security Framework.

Page 2

Mobile Security Framework

Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.

Page 3

Inputs

• Android and iOS binaries (APK, IPA)
• Android zipped source code (Eclipse, Android Studio)
• iOS zipped source code

• Android binary: static and dynamic analysis
• Android source: static analysis
• iOS binary and source: static analysis

(Tizen support is on its way.)

Page 4

Open Source Project

• Feel free to contribute.
• Source: https://github.com/ajinabraham/YSO-Mobile-Security-Framework
• Issues: https://github.com/ajinabraham/YSO-Mobile-Security-Framework/issues

Page 5

Setting it Up

Android

• Python 2.7
• Django 1.8
• Oracle Java JDK 1.7+

iOS

• Python 2.7
• Django 1.8
• Oracle Java JDK 1.7+
• Mac

Page 6

Static Analysis

• Android
– Information gathering
– Decompile to Java and Smali
– Permission analysis
– Manifest analysis
– Java code analysis
– Android API info
– File analysis
– URLs, email addresses, files, strings, Android components
– Report generation

Page 7

DEMO

• Static analysis of an APK
• Static analysis of zipped source code

Page 8

Static Analysis

• iOS binary
– Basic information
– Binary analysis
– File analysis
– Libraries
– Files
– Report generation

• iOS source
– Basic information
– Code analysis
– iOS API information
– File analysis
– URLs, email addresses, files, libraries
– Report generation

Page 9

DEMO

• Static analysis of an IPA binary
• Static analysis of zipped source code

Page 10

Dynamic Analyzer - Architecture

(Architecture diagram; only its labels survive.) Components: Dynamic Analyzer, Agents, Android VM, HTTP(S) Proxy. Flow: Install and Run APK; Start HTTP(S) Web Proxy; Invoke Agents in VM; collect HTTP(S) Traffic, Application Data and Agent Collected Information; Results.

Page 11

Dynamic Analysis

• Screenshot
• HTTP(S) traffic
• Logcat and dumpsys
• Droidmon API monitor
• Dynamic URLs and email addresses
• Dumped application data
• File analysis on application data
• Report generation
• Under development

Page 12

DEMO

• Under development + lots more
• Hoping that things will work!

Page 13

Interesting Facts

• Free and open source
• Supports VMs and rooted phones with our agents installed
• Complete mobile application security testing (Android, iOS and Tizen*)
• Reporting

Future plans:
- Pentesting server-side components of hybrid applications
- Exploitation module

Page 14

G4H Mobile Security CTF

GETSECRET.apk, SENDSECRET.apk

Page 15

G4H Mobile Security CTF

• The CTF entry point is GETSECRET; you need to capture the secret sent from SENDSECRET to GETSECRET.

• Vulnerabilities:

SENDSECRET
– Exported Activity: .ValidateAccess
– Logical vulnerability: sends the secret to any application with package name opensecurity.getsecret and Activity name GetFlag

GETSECRET
– Hardcoded password: LoginActivity
– Exported Activities: AskSecret, GetFlag
– Logging sensitive information: logging the Secret
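The exported-component findings listed for the CTF apps are the kind of result the framework's manifest analysis step (page 6) produces. The following is an added example, not code from MobSF or from the webcast: a small Python manifest checker run over a constructed AndroidManifest.xml modelled on GETSECRET (the package name and activity names come from the slides; the manifest body, the `.Admin` activity and its permission name are made up for illustration).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest modelled on the CTF's GETSECRET app; not the real APK's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="opensecurity.getsecret">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AskSecret" android:exported="true"/>
    <activity android:name=".GetFlag" android:exported="true"/>
    <activity android:name=".Admin" android:exported="true"
              android:permission="opensecurity.getsecret.ADMIN"/>
  </application>
</manifest>
"""


def exported_components(manifest_xml):
    """Return (tag, name, reason, permission) for components other apps can reach:
    android:exported="true", or an intent-filter with exported unset (implicitly
    exported before Android 12). The permission attribute shows which are guarded."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(f"{{{ANDROID_NS}}}name")
        exported = comp.get(f"{{{ANDROID_NS}}}exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = "exported=true"
        elif exported is None and has_filter:
            reason = "intent-filter with exported unset (implicitly exported)"
        else:
            continue  # exported="false", or no intent-filter: private to the app
        findings.append((comp.tag, name, reason, comp.get(f"{{{ANDROID_NS}}}permission")))
    return findings


def unguarded(manifest_xml):
    """Names of exported components with no android:permission: reachable by any app."""
    return [name for _, name, _, perm in exported_components(manifest_xml) if perm is None]
```

The launcher activity is expected to be exported; the fix for the others is `android:exported="false"` where no other app needs them, or an `android:permission` guard where one does.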

Page 16

G4H CTF - How to Solve

1. Reversing DexGuard: find the logic, reverse the hardcoded secret to decrypt the AES-encrypted flag.

2. Bypass the login of GETSECRET: wait until the random number matches, then SendSecret sends the Secret. Collect the Secret from the log and enter it in the GetFlag activity to get the Flag.

3. Easiest: patch the APK and recompile it.

Page 17

Sorry

• Can't cover reversing DexGuard.
• Blog post removed!
• The license I have denies reversing DexGuard technology.

Page 18

Thanks

• G4H Team
• Bharadwaj Machiraju

Contact: [email protected], http://opensecurity.in